Privacy Notice

Last updated: 20 June 2025

Purpose of this notice

The protection of your personal information is of paramount importance to Bupa (“we”, “us” and “our”). We’re (Bupa Global) committed to protecting and using your personal information responsibly.

This privacy notice explains what information we collect about you, how we use it and how we protect it when you buy, use or contact us about our products and services or when you work with us as intermediaries or suppliers.

Personal information means any information about you that directly or indirectly identifies you, such as your name, email or phone number. We will tell you whether the information we are requesting is essential or whether the supply of this information is optional.

This Privacy Notice also tells you how you can exercise your rights, including the right to object to some of the data handling we carry out. More information about your rights and how you can exercise them is set out in the “How to exercise your rights” section below.

Click on the links below to jump to the section:

Who this notice is for

This privacy notice is for:

  • anyone who buys, uses or contacts us about our products and services (such as our health or dental insurance customers) who is based in France, and is serviced by ExpaTPA,
  • patients of our dental practices, our health clinics or the Cromwell Hospital
  • people who work with Bupa, such as intermediaries or suppliers (but not our employees or healthcare professionals)

About us

Who we are:

  • We’re a healthcare organisation that offers a wide range of services to support our customers’ health. When we say ‘Bupa’ in this notice, we mean Bupa Global. Bupa Global is a trading name of Bupa Global Designated Activity Company (BGDAC), a designated activity (insurance) company, having its registered office at Second Floor, 10 Pembroke Place, Ballsbridge, Dublin 4, D04 V1W, and Bupa Insurance Services Limited, (BISL) a company registered in England and Wales at Companies House (Company Number: 3829851) and with a registered office at 1 Angel Court, London EC2R 7HJ. BGDAC is regulated by the Central Bank of Ireland.
  • ExpaTPA means ExpaTPA, Société par Actions Simplifiée de courtage d'assurances au capital de 60.000 Euros - 883 644 676 R.C.S. PARIS, having its Registered Office at 142 rue de Rivoli 75001 Paris, France. ExpaTPA provides policy and claims administration services to Bupa Global DAC members for policies domiciled in France. ExpaTPA is a controller of the personal information collected and processed when you use our products and services.

How we collect your personal information

We collect your personal information from you when you get in touch with us:

  • by phone, where we may record or monitor calls for quality assurance and to make sure we’re keeping to legal rules, codes of practice and internal policies, in this case, you will be informed of the collection of telephone recording data and may object to this
  • by email
  • through our websites, including webchats and virtual assistants
  • through our apps
  • by using our products and services
  • by post
  • by completing an application or other form(s)
  • by entering competitions
  • through social media
Third parties

We also collect information about you from third parties. There’s more information about this under ‘Collecting and sharing your personal information’.

What categories of personal information does Bupa collect

Your data will only be collected and processed by Bupa if there is an appropriate and relevant legal basis for doing so. In particular, we will process your data to protect our own legitimate interests and those of third parties, provided that these interests do not override your fundamental rights and freedoms. The information below details the categories of data that could potentially be collected by Bupa if there is an appropriate and relevant legal basis for doing so.

Basic personal details

Name, membership or registration number or patient ID, age and date of birth.

Contact

Username, address, email address and phone numbers.

Residency, national identifiers

The country you live in and national identifiers such as national identification (i.e., French social security number, NIR), passport number, or health card (Carte Vitale) information.

Communications

Details of any contact we’ve had with you, including phone calls and written complaints.

Financial details

Payments and bank account details.

Employment details

Your role and the company you work for, if your employer pays for your insurance, scheme or treatment.

Criminal offences and convictions

We only process information relating to criminal convictions or offences where expressly permitted by law. This may include checks required under anti-money laundering regulations, using publicly available or lawfully accessible sources. We do not collect or process criminal record information unless legally authorised to do so

Behavioural and usage information

How you use and access our digital services e.g., navigation data when you browse our sites.

Technical information

The devices and technology you use and website browser settings e.g. your IP address, information about your device and information about your browser.

Special category information – sensitive health data

Information about your physical or mental health, including genetic or biometric information. We will only collect this data when necessary for the purpose of servicing your policy, for example to process a claim or pre-authorise treatment.

We may get this information from:

  • application forms
  • notes and reports about your health and any treatment and care you’ve received or need
  • notes from calls and other communications you’ve had with us
  • referrals from your existing insurance provider
  • quotes
  • records of medical services and treatment you’ve received

How we use the personal information we collect

Under data protection laws, we can only process your information if we have a legal reason (known as a ‘lawful ground’) for doing so. Click on the tabs below to find out how we use your personal information. The words in bold are the lawful grounds under data protection laws that we rely on to process your information.You can find out what the different types of information mean under ‘what personal information we collect’.

Provide health, dental and aged care

Type of information we process:

  • Basic personal details
  • Contact
  • Communications
  • Residency
  • Financial details
  • Employment details
  • Special category information
  • Behavioural and usage information
  • Technical

Our reason for processing:

  • It's necessary to provide the services set out in a contract
  • It's required or allowed by law
  • We have a legitimate interest to:
    • deliver our products and services
    • tailor the delivery of our products and services to your specific needs and interests
For special category information:
  • It's necessary for health or social care purposes such as:
    • preventive or occupational medicine
    • assessing your working capacity as an employee
    • medical diagnosis
    • providing healthcare or treatment
    • providing social care
    • managing healthcare or social care systems or services
  • With your consent (if required)
  • When it's in your vital interests

Manage and administer health insurance

Type of information we process:

  • Basic personal details
  • Contact
  • Communications
  • Residency
  • Financial details
  • Employment details
  • Special category information
  • Behavioural and usage information
  • Technical

Our reason for processing:

  • It's necessary to provide the services set out in a contract
  • It's required or allowed by law
    • We have a legitimate interest to:
    • manage our relationship with you, our business and third parties
    • deliver our products and services
    • tailor the delivery of our products and services to your specific needs and interests
    • communicate with our customers and business partners
    • process insurance claims and collect money owed to us
For special category information:
  • It's necessary for insurance purposes such as:
    • advising on, arranging, providing or managing an insurance contract
    • dealing with a claim made under an insurance contract
    • Relating to rights and responsibilities relating to or in an insurance contract or insurance law
  • With your consent (if required)
  • When it's in your vital interests

Customer relationship, complaints, and managing claims

Type of information we process:

  • Basic personal details
  • Contact
  • Communications
  • Residency
  • Financial details
  • Employment details
  • Criminal convictions and offences
  • Behavioural and usage information
  • Location

Our reason for processing:

  • It's required or allowed by law
  • We have a legitimate interest to:
    • manage our relationship with you, our business and third parties
    • resolve issues and answer questions about our products and services
    • investigate and respond to complaints
    • monitor how well we are meeting our clinical and non-clinical performance expectations
    • protect the public against dishonesty, malpractice or other seriously improper behaviour
    • manage a claim where a third party may be at fault
  • With your consent (if required)

Detect and prevent fraud, financial crime and breaches of our terms and policies; carry out anti-money laundering and other background checks

Type of information we process:

  • Basic personal details
  • Contact
  • Communications
  • Residency
  • Financial details
  • Employment details
  • Criminal convictions and offences
  • Behavioural and usage information
  • Technical

Our reason for processing:

  • It's required or allowed by law
  • We have a legitimate interest to:
    • detect and prevent fraud and financial crime
    • ensure compliance with our terms and conditions, and policies

Identify and verify you; monitor access to our products and services

Type of information we process:

  • Basic personal details
  • Contact
  • Residency
  • Employment details
  • Behavioural and usage information
  • Technical

Our reason for processing:

  • It's required or allowed by law
  • We have a legitimate interest to:
    • confirm that you’re an employee of your employer when they are paying for the product or service you’re using
    • confirm you’re an employee of a business we’re purchasing products or services from
    • identify you when you access our digital services and websites
    • identify if you were redirected to our websites through an advert or referral link
    • identify if you‘re under the age of 16
    • identify fraud and fraudulent activity

Administer payments to and from Bupa

Type of information we process:

  • Basic personal details
  • Contact
  • Residency
  • Financial details
  • Employment details

Our reason for processing:

  • It's necessary to provide the services set out in a contract
  • It's required or allowed by law
  • We have a legitimate interest to:
    • take payment and charge for our products and services
    • review invoices and make payments

Communicate and send marketing information to you (by post, phone, email, text and through social media); develop and tailor our marketing and sales activities

Type of information we process:

  • Basic personal details
  • Contact
  • Residency
  • Communications
  • Behavioural and usage information
  • Technical

Our reason for processing:

  • We have a legitimate interest to:
    • market to our customers and prospective customers if they’ve shown an interest in us
    • request feedback and from customers and people we work with
    • follow your contact preferences, marketing, cookies and other tracking such as in-app, profiling and automated decision making (see ‘cookies, AI, analytics and profiling’ for details on this)
    • develop and run tailored marketing
  • With your consent (if required)

Improve our products and services by conducting statistical analysis, market research and other analysis

Type of information we process:

  • Basic personal details
  • Contact
  • Communications
  • Residency
  • Financial details
  • Employment details
  • Health information
  • Other sensitive information
  • Behavioural and usage information
  • Technical

Our reason for processing:

  • We have a legitimate interest to:
    • undertake statistical research and analytics (see ‘cookies, AI, analytics and profiling’ for details on this)
    • understand our customers and the people we work with
    • understand more about our products and services, and how to improve them
  • With your consent (if required)

Protect and secure our company, systems, services and business operations; compliance with laws and regulations; defend ourselves against claims

Type of information we process:

  • Basic personal details
  • Contact
  • Residency
  • Behavioural and usage information
  • Technical

Our reason for processing:

  • It's required or allowed by law
  • We have a legitimate interest to:
    • undertake statistical research and analytics (see ‘cookies, AI, analytics and profiling’ for details on this)
    • understand our customers and the people we work with
    • understand more about our products and services, and how to improve them

Improve training and the quality of our services

Type of information we process:

  • Basic personal details
  • Contact
  • Personal information shared with us during a phone call or other method of communication, such as webchat and email

Our reason for processing:

  • We have a legitimate interest to:
    • monitor phone calls to us for training and to review the quality of our services
    • review online and email exchanges between you and us for training and to review the quality of our services
  • It's required or allowed by law

When we need your consent to process your personal information

When we need it:

We’ll only ask you for consent to process your personal information if there’s no other legal reason to process it, or we think it’s appropriate to do so.

We always tell you when we need it:

We’ll tell you when we need your consent and ask you for it. You will have the option to refuse to give your consent. If we can’t provide a product or service without your consent (for example, we can’t process health insurance claims without health information), we’ll make this clear when we ask for it.

You can always change your mind and withdraw your consent:

If you later withdraw your consent, we’ll be unable to provide you with any product or service that relies on us having your consent to process your personal information.

When we use anonymised information

Anonymised information is where all names and other information that could identify you (such as a membership or registration number or IP address) has been removed. We use it for example:

  • to support clinical research
  • for research and statistical purposes
  • to help us train our people
  • to undertake analytics that help us understand more about our business and make decisions. You’ll find more on this in the analytics section of this privacy notice.

When we use anonymised information, we will:

  • only share it with legitimate third parties
  • always limit the ways and reasons it is processed
  • never sell it

Collecting and sharing your personal information

Sometimes we need to collect your information from, or share it with, other people or organisations. When we share your information, we only share the information needed, and as little of it as possible, for a specific purpose. For example, if you need treatment, we’ll share relevant medical details with your treatment provider.

We have processes in place to make sure that your information is protected when we share it with third parties. If you’re sharing someone else’s personal information with us, please make sure they’ve seen this privacy notice and are comfortable with you giving us their information.

We’ve set out below the types of third parties we collect and share information with, and our reasons for doing so. We may also disclose your personal information to other third parties if we’re required or permitted to do so by law.

All our businesses - third parties

Bupa group of companies

Description

Our affiliated companies, listed at bupa.co.uk/legal-notices/trading-addresses and Bupa Global Legal Notices

Our reason:

  • Deliver our products and services to you
  • Send you communications about products and services that might interest you
  • Undertake statistical research and analysis to understand more about our products and services and how to improve them
  • Understand and improve clinical outcomes for our customers
  • Product and service development
  • Fraud prevention and detection
  • Reporting on business activity and success
  • Enabling us to deliver a seamless experience across our businesses, and give you easy access to our products and services across our businesses

Collect

Yes

Share

Yes

Your parent or guardian (if you are a child), and authorised third parties

Description

You’ve given us consent to speak to a third party on your behalf, such as a family member, lawyer, or a person acting through a mandate agreement.

Our reason:

  • Deliver our products and services to you
  • Manage our relationship with you
  • Set you up as a customer
  • Meet our regulatory obligations or comply with legal requests or legal claims
  • Manage complaints, claims or individual rights requests

Collect

Yes

Share

Yes

Your employer

Description

You’re under a group insurance scheme or health trust, or they’re paying for our services.

You’re working with us in a professional capacity as a business partner.

Our reason:

  • Product or service administration
  • Transfer to a new service provider
  • Set you up as a customer or business partner
  • Manage our relationship with your employer
  • Process and validate invoices, and make or receive payments

Collect

Yes

Share

Yes

Healthcare providers

Description

  • Doctors, clinicians and other healthcare professionals
  • Hospitals and clinics
  • Dental laboratories
  • Medical laboratories
  • Individuals or organisations who pay for your care

Our reason:

  • So you can give or have treatment
  • Process and validate invoices, and make or receive payments
  • To investigate complaints, claims and possible fraudulent activity

Collect

Yes

Share

Yes

Medical regulators, bodies and associations our consultants belong to

Description

Professional associations our consultants belong to or are regulated by, including:

  • Haute Autorité de Santé (HAS)
  • Agence Régionale de Santé (ARS)
  • Ordre des Médecins / Ordre des Chirurgiens-Dentistes
  • Caisse Primaire d’Assurance Maladie (CPAM)

And any other regulators, bodies or associations that are relevant in the country you received treatment

Our reason:

  • For safeguarding purposes
  • Investigate complaints and clinical incidents
  • Monitor quality and performance

Collect

Yes

Share

Yes

Credit reference and fraud prevention agencies

Description

  • Health insurance counter-fraud groups
  • Financial crime screening services

Our reason:

  • Detect and prevent fraud
  • Meet our regulatory and legal obligations

Collect

Yes

Share

Yes

Debt collection agencies

Description

Debt collection agencies we engage to act on our behalf.

Our reason:

Recover money owed to us

Collect

Yes

Share

Yes

Third party that buys or takes over any of our businesses

Description

  • Lawyers, auditors, actuaries and tax advisors
  • Translators and interpreters

Our reason:

  • Support us to manage our business and meet our regulatory obligations
  • Gain advice on business decisions and strategy

Collect

No

Share

Yes

Public sector bodies, government and regulatory organisations

Description

  • Government and their agencies
  • Law enforcement agencies, like the Police
  • Authorities and regulators such as the Financial Conduct Authority (FCA) or Prudential Regulation Authority (PRA)
  • Data protection supervisory authorities such as the French Data Protection Authority (CNIL)
  • French judicial authorities and courts

Our reason:

  • Comply with our legal and regulatory obligations
  • Protect our rights

Collect

No

Share

Yes

Public data sources

Description

  • Electoral register
  • Information about you on social media
  • For our business partners, public sources that include professional information about you

Our reason:

  • Validate and update our records
  • Understand how our customers and business partners have reviewed or discussed us or our competitors online
  • Check our business partners are legitimate, of good standing and quality, and investigate possible fraudulent activity or complaints

Collect

Yes

Share

No

Suppliers who process your personal information on our behalf

Description

We put measures in place to ensure that our suppliers process your personal information fairly and in line with our expectations. We use the types of suppliers listed below:

  • IT service providers: Cloud storage, databases and data repositories, practice management systems, customer relationship management systems (CRM), communication and phone software, back-up solutions, network security and monitoring solutions and other 'software as a service' providers
  • Marketing, sales and business development: market and customer research consultants, social media platforms and marketing and digital marketing agencies, data set and contact list providers
  • Customer service support: outsourced support with customer communication and servicing, including translation

Our reason:

  • Help us run our business
  • Manage our relationship and communicate with you
  • Provide our products and services to you
  • Understand our customers and market to them
  • Identify and communicate with people that might be interested in our products and services
  • Grow our business and keep our customers

Collect

Yes

Share

No

Bupa Global - third parties

Policyholders

Description

Main policyholder, if you are a dependant under an insurance policy.

Our reason:

  • Manage our relationship with you and the policyholder
  • Issue invoices, request and take payment

Collect

Yes

Share

Yes

Funders arranging services

Description

  • Insurance brokers
  • Your agents
  • Other intermediaries

Our reason:

  • Confirm you're entitled to claim discounts on our products and services
  • Manage our relationship with you through your broker or agent
  • Discuss purchase, renewal and availability of our products and services through your broker and agent
  • Set you up as a customer or business partner

Collect

Yes

Share

Yes

Other insurers and reinsurers

Description

  • Other health and benefit insurers
  • Reinsurers

Our reason:

  • Set you up as a customer
  • Support you to transfer to a new insurer
  • Manage and settle claims that are a third party’s fault
  • If reinsurance is necessary

Collect

Yes

Share

Yes

Travel assistance services

Description

Evacuation or repatriation providers

Our reason:

To arrange evacuation or repatriation

Collect

Yes

Share

Yes

Transferring your personal information abroad

Bupa Global

We work with organisations (such as healthcare providers, other Bupa companies, and IT providers) that operate in, or from, various countries worldwide. This means that your information will be transferred to, or accessed from, countries located outside the European Union and/or European Economic Area ("EAA").

Here’s how we keep your personal information safe when we do this:

Protection by local law

Certain countries are considered safe by regulators since they have adequate data protection laws. We can freely transfer your personal information where needed.

The CNIL and the European Commission have lists of which countries they consider to have adequate protection for personal information.

Protection by other safeguards

We can also transfer personal information to countries that have not been assessed as adequate if we use appropriate safeguards. The main safeguards we use are:

  • regulator-approved Standard Contractual Clauses
  • additional contractual, organisational, and technical measures (as required following a risk assessment of the transfer)

Transfers within the Bupa group are covered by an agreement that contractually obliges each company to ensure an adequate and consistent level of protection.

ExpaTPA

In the provision of administration and claims services, ExpaTPA endeavours to store Personal Data in France, or at least within the European Economic Area (EAA).

However, it is possible that the Data they collect when you use their platform or as part of our services may be transferred to other countries. This is the case, for example, if some ExpaTPA service providers are located outside the European Economic Area.

In the event of a Transfer of this type, ExpaTPA guarantees that it will be carried out:

  • to a country offering an adequate level of protection, i.e. a level of protection equivalent to that required by European regulations
  • within the framework of standard contractual clauses
  • within the framework of internal company rules

How long we keep your information for

Bupa Global

For our insurance businesses, Bupa Global typically keeps personal information for seven years after you stop being our customer or business partner in line with our legal obligations and business needs.

How we calculate how long we keep your information for

How long we keep your information depends on several factors:

  • how long you’ve been a customer with us, the types of products or services you have with us, any relevant events and when you’ll stop being our customer
  • how long it’s reasonable to keep records to show we’ve met the obligations we have to you and by law
  • any periods set by law or recommended by regulators, professional bodies or association
  • any time limits for making a legal claim
  • any relevant proceedings that apply

We often have to keep your personal information to comply with a legal obligation, and this means that if you ask us to delete your personal information before the retention period has expired, we’ll be unable to do so.

ExpaTPA

ExpaTPA retains Personal Data only for as long as is necessary to fulfil the purpose for which it was collected. Retention periods vary depending on a number of factors, such as:

  • ExpaTPA’s business needs
  • contractual requirements
  • legal obligations
  • recommendations from supervisory authorities

The retention periods for your data which are held by ExpaTPA are as follows:

  • Contract Management - 10 years
  • Manage your customer account - 2 years
  • Claims and after-sales service management - 2 years
  • Claims management, including images and documents - 7 years
  • Drawing up statistics to improve products and services - 5 years
  • Satisfaction surveys and opinion polls - 2 years
  • Pre-litigation and litigation management - 5 years
  • Fighting Fraud - 10 years
  • Combating money laundering and the financing of terrorism - 10 years
  • General and subsidiary accounting - 10 years

Cookies, AI, analytics and profiling

For information on certain technologies we use to process your personal information, your choices and rights, please see Bupa Global’s Cookies, AI, analytics and profiling Policy which covers the following:

  • cookies and tracking technologies
  • profiling and automated decision making
  • artificial intelligence and machine learning
  • analytics

ExpaTPA's cookie policy can be found at https://expatpa.com/Home/CookiePolicy

Your choices and rights

Here you’ll find information on how to control your personal information and the rights you have under the law.

Opting out from marketing

You can ask us to stop sending you email marketing by clicking on the ‘unsubscribe’ link in any marketing emails we send you.

For all other types of marketing, you can opt out (ask us not to send it) or change your preferences:

Need to know:

  • You can’t unsubscribe from service communications. These are communications we need to send you for administrative or customer service reasons.

Your rights

You have rights under privacy law about your personal information.

Right of access

You can ask us for a copy of the personal information we hold about you.

Right to rectification

You can ask us to correct or remove inaccurate information we hold about you.

Right to restriction of processing

You can ask us to use your information for restricted purposes only.

Right to portability

You can ask us to send your information to you or to someone else in a format that can be read by computer.

Right to erasure

You can ask us to delete your information if there’s no good reason for us to keep it. If there’s a reason why we can’t do this, for example legally we need to keep it for a certain length of time, we’ll let you know.

Right to withdraw consent

You can withdraw any consent you’ve given us. We’ll let you know if we have to stop providing a product or service to you as a result. Any processing of your personal information that happened before you withdrew your consent will remain lawful.

Right to set up guidelines for after your death

You have the right to set up guidelines for the retention, deletion, and disclosure of your personal data after your death.

Right to object

You can object to us processing your information when:

  • we’re processing it or profiling you for direct marketing purposes
  • we’re processing it for a legitimate interest (see ‘how we use the personal information we collect’ for when this applies)
  • our processing is based on a task carried out in the public interest (such as prevention of crime)

However, we may be unable to action your objection if there’s an overriding reason or the processing is necessary for legal claims. We’ll tell you if this applies when you contact us.

You don’t always have the right to object. We’ll let you know if you can’t and our reasons for turning down your objection.

Rights in relation to profiling and automated decisions

You can ask us not to make solely automated decisions about you or use profiling if this has a legal effect on you or an effect as significant as a legal effect.

You can also ask us to reconsider an automated decision and find out more how the decision was made. If you do, we’ll see if we can review the decision and let you know the outcome.

We may be unable to action with your request if:

  • the automated decision making or profiling is necessary for us to enter into a contract
  • we’re authorised by law to make an automated decision or undertake profiling.

You also have a right to make a complaint to your local privacy supervisory authority

If you’d like to do this, please tell us first, so we have a chance to address your concerns.

If we are unable to address your concerns, you can complain to:

  • the Data Protection Commissioner www.dataprotection.ie who can be contacted at, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland. Tel +353 (0)761 104 800 or +353 (0)57 868 4800 or
  • the Commission Nationale de l'Informatique et des Libertés – CNIL who can be contacted at, 3 Place de Fontenoy, TSA 80715 – 75334 Paris, Cedex 07. Tel. +33 1 53 73 22 22
  • if you’re based in another country, we’ll let you know your relevant authority.

How to exercise your rights

If you want to exercise your rights, please email: [email protected].

What to expect

  1. Identification - We may ask you to confirm your identity and provide information that helps us understand your request better.
  2. We’ll let you know if we can fulfil your request - Unless you’re exercising an absolute right (such as the right to object to the processing of personal information for direct marketing purposes), we may be unable to fulfil your request. We’ll let you know and explain why.
  3. Our response - We’ll respond to requests about automated decisions in 21 days. For all other requests, we’ll tell you within one month what action we’ve taken, starting from the day we receive them.

How to get in touch or complain

If you have any questions, comments or would like to complain about this notice, or any other questions about the way we process your information, please get in touch with our Data Protection Officer and privacy team.

  • By email: [email protected]
  • By post: C/O Bupa. ExpaTPA, 142 Rue de Rivoli, 75001 Paris – France